GeatWall_2025

GeatWall_2025 wp

October 10, 2025 · 5 min

ciscn&ccb-ISW pentest: web-git

Preface: this was the box I spent the most time on during the event. After the competition I asked seniors and other players for their writeups and put together this recap.

The challenge contains five flags in total. Target: 172.16.160.40

The standard approach is to start with nmap and a directory scan. nmap reported the following open ports and services:

```
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: work.com, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp   open  http     Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34)
| http-git:
|   172.16.160.40:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: flag commit
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-title: Gitlab
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34
110/tcp  open  pop3     Dovecot pop3d ([XCLIENT])
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after:  2023-11-28T16:40:31
| MD5:   e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_pop3-capabilities: CAPA PIPELINING RESP-CODES STLS UIDL AUTH-RESP-CODE TOP SASL(PLAIN) USER
111/tcp  open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
143/tcp  open  imap     Dovecot imapd
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after:  2023-11-28T16:40:31
| MD5:   e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: Pre-login listed post-login have SASL-IR ENABLE LOGIN-REFERRALS more capabilities LITERAL+ STARTTLS ID IMAP4rev1 IDLE AUTH=PLAINA0001 OK
443/tcp  open  ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34)
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-title: Gitlab
| http-git:
|   172.16.160.40:443/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: flag commit
| ssl-cert: Subject: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T09:02:14
| Not valid after:  2023-11-18T09:02:14
| MD5:   3c47:9ba9:c35e:d7da:dd8d:92b8:5653:3f9e
|_SHA-1: 67dc:6f7f:f385:fe12:d7a8:9d88:df12:b572:97db:f35a
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34
|_ssl-date: TLS randomness does not represent time
993/tcp  open  ssl/imap Dovecot imapd
|_imap-capabilities: Pre-login post-login have SASL-IR ENABLE LOGIN-REFERRALS more listed capabilities LITERAL+ ID AUTH=PLAINA0001 IDLE IMAP4rev1 OK
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after:  2023-11-28T16:40:31
| MD5:   e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_ssl-date: TLS randomness does not represent time
995/tcp  open  ssl/pop3 Dovecot pop3d ([XCLIENT])
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after:  2023-11-28T16:40:31
| MD5:   e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_pop3-capabilities: CAPA UIDL SASL(PLAIN) AUTH-RESP-CODE TOP RESP-CODES USER PIPELINING
|_ssl-date: TLS randomness does not represent time
3306/tcp open  mysql    MySQL (unauthorized)
9999/tcp open  http     nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: 403 Forbidden
```

The important line here is the `http-git` NSE script result: the web root on both 80 and 443 exposes a `.git/` directory, and nmap already reads the last commit message out of it, "flag commit". That is the entry point for the first flag.

flag1

Since the scan shows an exposed `.git` directory, use GitHack to recover the repository. The restored tree contains a `flag.php`, but it only prints "no here". The flag is not in the current checkout, so look through the commit history with `git log` ...
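The step above relies on the fact that a leaked `.git` directory contains every historical version of `flag.php`, not just the one in the working tree. The following Python script is an added example, not code from the writeup or from GitHack: it builds a constructed `.git` directory with loose objects (the flag value, commit messages and author are all made up), then walks the commit chain from `HEAD` and reads `flag.php` out of each commit's tree, which is what `git log -p -- flag.php` does after GitHack has restored the repository. The HTTP download that GitHack performs is deliberately left out so the script runs offline.

```python
import hashlib, os, tempfile, zlib

def _store(objdir, kind, payload):
    """Write a loose object: zlib('<kind> <size>\\0<payload>') under objects/xx/yyyy; return its sha1."""
    data = kind.encode() + b" " + str(len(payload)).encode() + b"\x00" + payload
    sha = hashlib.sha1(data).hexdigest()
    os.makedirs(os.path.join(objdir, sha[:2]), exist_ok=True)
    with open(os.path.join(objdir, sha[:2], sha[2:]), "wb") as f:
        f.write(zlib.compress(data))
    return sha

def _tree(objdir, files):
    # tree entry format: '<mode> <name>\0<20 raw sha bytes>', entries sorted by name
    payload = b"".join(b"100644 " + n.encode() + b"\x00" + bytes.fromhex(s) for n, s in sorted(files.items()))
    return _store(objdir, "tree", payload)

def _commit(objdir, tree, parent, msg):
    lines = [b"tree " + tree.encode()] + ([b"parent " + parent.encode()] if parent else [])
    lines += [b"author a <a@work.com> 0 +0000", b"committer a <a@work.com> 0 +0000", b"", msg.encode()]
    return _store(objdir, "commit", b"\n".join(lines) + b"\n")

def build_leaked_repo(root):
    """Constructed sample .git (hypothetical contents): flag.php first holds a flag, then is
    overwritten with 'no here' in a commit titled 'flag commit'. Returns the HEAD commit sha."""
    gitdir, objdir = os.path.join(root, ".git"), os.path.join(root, ".git", "objects")
    old = _store(objdir, "blob", b"<?php // flag{constructed_example} ?>\n")
    c1 = _commit(objdir, _tree(objdir, {"flag.php": old}), None, "add flag")
    new = _store(objdir, "blob", b"<?php echo 'no here'; ?>\n")
    c2 = _commit(objdir, _tree(objdir, {"flag.php": new}), c1, "flag commit")
    os.makedirs(os.path.join(gitdir, "refs", "heads"), exist_ok=True)
    with open(os.path.join(gitdir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    with open(os.path.join(gitdir, "refs", "heads", "master"), "w") as f:
        f.write(c2 + "\n")
    return c2

# --- reader side: walk the leaked history instead of trusting the checked-out flag.php ---
def read_object(gitdir, sha):
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\x00")
    kind, size = header.split(b" ")
    if int(size) != len(body):
        raise ValueError(f"corrupt object {sha}")
    return kind.decode(), body

def parse_tree(body):
    entries, i = {}, 0
    while i < len(body):
        nul = body.index(b"\x00", i)
        mode, name = body[i:nul].split(b" ", 1)
        entries[name.decode()] = (mode.decode(), body[nul + 1:nul + 21].hex())
        i = nul + 21
    return entries

def parse_commit(body):
    head, _, msg = body.partition(b"\n\n")
    tree, parents = None, []
    for line in head.split(b"\n"):
        key, value = line.split(b" ", 1)
        if key == b"tree":
            tree = value.decode()
        elif key == b"parent":
            parents.append(value.decode())
    return tree, parents, msg.decode().strip()

def resolve_head(gitdir):
    with open(os.path.join(gitdir, "HEAD")) as f:
        head = f.read().strip()
    if not head.startswith("ref: "):
        return head  # detached HEAD holds the sha directly
    with open(os.path.join(gitdir, head[5:])) as f:
        return f.read().strip()

def file_history(gitdir, filename):
    """First-parent walk from HEAD: [(commit message, file bytes or None), ...], newest first."""
    history, sha = [], resolve_head(gitdir)
    while sha:
        tree, parents, msg = parse_commit(read_object(gitdir, sha)[1])
        entries = parse_tree(read_object(gitdir, tree)[1])
        content = read_object(gitdir, entries[filename][1])[1] if filename in entries else None
        history.append((msg, content))
        sha = parents[0] if parents else None
    return history

def find_flag(gitdir, filename="flag.php", marker=b"flag{"):
    """Newest revision of filename whose content contains marker, as (commit message, text)."""
    for msg, content in file_history(gitdir, filename):
        if content is not None and marker in content:
            return msg, content.decode()
    return None

def demo():
    root = tempfile.mkdtemp()
    build_leaked_repo(root)
    gitdir = os.path.join(root, ".git")
    return file_history(gitdir, "flag.php"), find_flag(gitdir)

if __name__ == "__main__":
    for msg, content in demo()[0]:
        print(f"{msg!r}: {content!r}")
```

Two caveats for the real target: the walk only follows the first parent and only reads loose objects, so a repository whose history was packed (`.git/objects/pack/`) needs the packfile parsed or, more simply, `git log -p -- flag.php` run inside the directory GitHack restored. Also, a file that was deleted rather than overwritten still shows up in earlier commits, which is why walking history beats looking only at the current `flag.php`.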
